CSE Broke Privacy Laws With Metadata Sharing, Watchdog Says

The Communications Security Establishment passed along the information — known as metadata — to counterparts in the United States, Britain, Australia and New Zealand, said Jean-Pierre Plouffe, who keeps an eye on the highly secretive agency.

Metadata is information associated with a communication — such as a telephone number or email address — but not the message itself.

The Ottawa-based CSE uses highly advanced technology to intercept, sort and analyze foreign communications for information of intelligence interest to the federal government.

Documents leaked in 2013 by former American spy contractor Edward Snowden revealed the U.S. National Security Agency — a close CSE ally — had quietly obtained access to a huge volume of emails, chat logs and other information from major Internet companies, as well as massive amounts of data about telephone calls.

Metadata not harmless: privacy advocates

As a result, civil libertarians, privacy advocates and opposition politicians demanded assurances the CSE was not using its extraordinary powers to snoop on Canadians.

The spy agency is legally authorized to collect and analyze metadata churning through cyberspace, and it inevitably comes across data trails about Canadian messages and calls.

Privacy advocates have stressed that metadata is far from innocuous, as it can reveal much about a person's online behaviour.

In his annual report for 2014-15, completed last year but made public only Thursday, Plouffe said certain CSE metadata activities raised legal questions that he continued to examine and assess.

In a statement, Plouffe said he has since completed that legal assessment.

In collecting metadata, the CSE is required to take measures to protect the privacy of Canadians.

Plouffe said the spy service discovered on its own that certain types of metadata containing Canadian identity information were not being properly "minimized" — removing potentially revealing details — before being shared with the CSE's four key foreign partners.

The former head of the CSE informed the watchdog, as well as the defence minister, about the matter. CSE then suspended the sharing of this metadata with its partners.

After "careful examination," Plouffe concluded that the CSE's failure to strip out certain Canadian identity information violated the National Defence Act and therefore the federal Privacy Act as well.

Plouffe informed the defence minister and the attorney general of his findings.

The watchdog concludes that while the CSE's actions were "not intentional," the spy agency did not exercise "due diligence when it failed to ensure that the Canadian identity information was properly minimized."

In a statement, Defence Minister Harjit Sajjan, the cabinet member responsible for the CSE, said the metadata that was shared with Canada's partners "did not contain names or enough information on its own to identify individuals" and that the privacy impact "was low."

Nonetheless, Sajjan said the CSE will not resume sharing this information with partners until he is "fully satisfied" effective systems and measures are in place.